Does the GDPR Apply to US Companies? 4 Reasons Why It Probably Does

With just a few months before enforcement of the GDPR (General Data Protection Regulation) kicks in, you may still be wondering “does the GDPR really apply to my business?” After all, the regulation was written in the EU, by the EU, and for EU citizens, so it doesn’t really apply to my US-based business, right? Considering how committed the data protection authorities are to enforcing the regulation, here are 4 reasons why you should reconsider:

GDPR’s scope reaches beyond the European Union

GDPR broadens the definition of “personal data”

GDPR specifically includes “profiling”, a common practice used across the web

Fines. Fines. Fines. Failure to comply could be costly.

#1 GDPR’s scope reaches beyond the European Union

The GDPR was written with the express intent to declare data protection as a fundamental right for each citizen of the EU. Recital 1 of the GDPR is pretty clear on this. The focus of the law is ensuring that EU citizens are granted control over the use of their personal data and that consent be “freely-given, specific, informed and unambiguous” for certain uses, declared ahead of time.

In this sense, the regulation focuses less on the location of a business and more on the individual citizen’s right. Article 3, and Recitals 24 and 25, outline that a business (data controller or data processor, doesn’t matter) needn’t be physically located within the EU for the regulation to apply. If personal data of an EU citizen is being processed and your business targets the EU market—for instance your site content is served in their local language or is clearly EU focused—then you may be subject to the GDPR. For companies that offer goods and services to EU citizens, even if those goods or services don’t require payment, then the regulation also applies. Understanding that the scope of the law is designed to protect an EU citizen’s data privacy rights, regardless of where the data processor or data controller may be located, is the key here.

#2 GDPR broadens the definition of personal data

Naturally you may be left wondering “what constitutes personal data?” The regulation seeks to both establish data protection as a fundamental right and attach a much broader definition to personal data, building upon what was previously established by the Data Protection Directive (DPD). Some examples of personal data cited by the GDPR (Art. 4(1)):

Name

Identification number

Location data

Online identifier

Any of these that can be used, directly or indirectly (or combined with other pieces of data), to identify a natural person are now considered to be personal data under the scope of the law.

This list is significant because location data and online identifiers are used regularly by marketers across the web to provide more relevant experiences, and were previously considered outside the definition of personal data. For example, many websites use location data to localize the language or personalize content to visitors. With location data now potentially being defined as personal data, website owners may need to establish a legal basis to process and leverage that data.

So, what’s an “online identifier”, the last example on the list above? Recital 30 of the GDPR defines online identifiers as any of the following (though the list is likely not exclusive):

IP address

Cookie identifiers

Radio frequency identification

Just like location data, cookie identifiers and IP addresses are also regularly used by digital marketers to personalize content and advertising. The result of this broader definition of personal data means that organizations who do this may need to reconsider their marketing practices under the GDPR.

#3 GDPR Affects the Use of Profiling

Another common use of cookies, IP addresses, and location data is to establish a “profile” of a user for the purpose of running interest-based advertising. This is called “profiling” and in the US, it’s often referred to as “digital tracking”

Profiling is widely used across the web to provide more targeted and relevant advertising. This is largely dependent on the use of cookies, though techniques like device fingerprinting offer an alternative.

Article 3 (2)(b), and Recitals 23 and 24, are clear on their intent to establish a territorial scope beyond the European Union. Monitoring, or profiling, of a European citizen over the web, regardless of whether it’s happening on a US-based website or not, likely meets the definition of personal data and is subject to GDPR.

As the Article 29 Working Party has indicated, profile-driven online advertising may well be subject to the legal authority of GDPR, depending on the intrusiveness of the process, the expectations of the individuals concerned, how the ad is delivered, and the vulnerabilities of the targeted individuals.

#4 Fines. Fines. Fines. Failure to comply could be costly.

If you’re still unsure whether GDPR applies to your business, consider the cost of non-compliance: 4% of annual global revenue or up to €20M—whichever is greater. The staggering amount is the reason why GDPR is on every business leader’s mind. Data protection authorities are scaling up their teams to enforce compliance and empowered by Article 80 and Recital 142, privacy-minded groups, such as NOYB, are offering citizens the means to organize and take collective legal action against organizations that violate their data privacy rights. So, don’t assume regulators are the only ones that will be checking for compliance.

Although we’ve spoken mostly here about web-profiling and capturing online consent, GDPR extends well beyond that, and ultimately the question of whether the law applies to your US-based business will need to be answered by your legal team. Given how committed the data protection authorities are to enforcement and how steep the fines are, you need to at least ask yourself “is the risk of non-compliance worth it?”